httpd-users mailing list archives

From Mark Montague
Subject Re: [users@httpd] How to find if Revision 1179239 patch is in place
Date Mon, 13 Feb 2012 23:00:41 GMT
On February 13, 2012 17:28, Murthy Ganti wrote:
> I am trying to find out if one of my Apache installations is vulnerable
> to CVE-2011-4317 or not. The description of this vulnerability says
> that this vulnerability exists in "2.2.x through 2.2.21, when the
> Revision 1179239 patch is in place".
> My question is how do I determine if this Revision patch is in place
> or not by looking at the source code for our installation (I have
> 2.2.17 and 2.2.19 installed)?

If you see the following lines (the ones in green in the right-hand 
column) in the file server/protocol.c then the revision 1179239 patch is 
in place:

The most likely situation in which this would be the case is if you are 
using a version of Apache HTTP Server that is patched for you by an 
upstream distributor and you upgraded to a version in which the 
distributor back-ported the fix for CVE-2011-3368 but you did not 
upgrade to a version in which the distributor back-ported the fix for 

Or, this could arise if you compile 2.2.17 or 2.2.19 from source 
yourself and you patched the source to fix CVE-2011-3368 thus creating 
the vulnerability described in CVE-2011-4317 but you did not apply the 
patch to fix CVE-2011-4317 for some reason, despite applying other fixes.

   Mark Montague

The official User-To-User support forum of the Apache HTTP Server Project.